How 1 Million App Calls can Tell you a Bit About Malware – Part 2

In my previous blog post, I described some of my findings regarding malicious mobile apps. In summary, I observed that there are POSIX abstractions that are popular only among malicious apps. The findings were derived from a study that I did with some colleagues on POSIX (Portable Operating System Interface) abstractions. Recall that part of our study involved examining the POSIX calls used by both benign Android applications (~1 million) coming from the Google Play Store and malicious Android applications (about 1260 of them) taken from a well-known dataset, which you can download from here.

Figure 1: Potentially Malicious Apps. The identification was based on an SVM Model.

Table 1: Indicative potentially malicious apps classified by the SVM model. These apps were identified as malicious by more than 15 antiviruses.

We performed a further analysis on these results to check whether we could build a more robust filter for detecting malicious apps than the simple filter described in my previous post (recall that this filter was based on the three abstractions that are least popular among benign applications while at the same time popular among malicious ones). Our attempt involved the following: we fed a set of benign apps (the 500 most popular apps of the Google Play Store) and the aforementioned dataset of malicious apps to an SVM (Support Vector Machine), a binary classifier that builds a model from given features (abstractions, in our case) to separate the two classes. The classifier can then classify a new app as malicious or not. By applying the model to the same set of apps that we examined in the previous case, 1283 apps were identified as suspicious. Based again on the antiviruses provided by the VirusTotal website, we found that 232 of these apps (18%) are potentially malicious. Even if the approach seems less robust than the previous one, Figure 1 illustrates that there are more cases of apps that were flagged as malicious by more than one antivirus. Table 1 presents applications that were filtered out by the SVM model and were identified as malicious by more than 15 antiviruses.

Figure 2: Potentially Malicious Apps. The identification was based on the obfuscated libraries.

Table 2: Indicative potentially malicious apps containing obfuscated libraries. These apps were identified as malicious by more than 22 antiviruses.

Through our experiments, we came across a number of Android apps that included obfuscated libraries (991 apps in total). Given that obfuscation techniques are frequently encountered when analyzing Android malware, we decided to examine all the apps that contained such libraries using the 54 antiviruses of the VirusTotal website. Surprisingly, almost half of the apps (481 in total, 48.53%) were classified as suspicious. An interesting observation is that the majority of these apps were flagged as potentially malicious by a large number of antiviruses, as Figure 2 shows. Table 2 presents indicative apps that were identified as malicious by more than 22 antiviruses.

Clearly, a malware detector cannot be based solely on observations like the ones above. However, such findings could be useful for developing more complex filters that help find malicious software.
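The multi-engine consensus step used throughout this post (count how many VirusTotal engines flagged each app, then keep the apps above a threshold such as 15 or 22) as an added example; this is not code from the post or the study. The report field names are assumed from the VirusTotal v2 file-report layout, and the sample reports and app names are constructed.

```python
# Consensus filter over VirusTotal-style scan reports: recount detections per
# app from the per-engine results and keep the apps flagged by more than a
# threshold of engines. Field names ("positives", "total", "scans" ->
# {engine: {"detected": bool}}) are assumed from the VirusTotal v2 layout.
from collections import Counter


def detection_count(report):
    """Engines that flagged the sample, recomputed from 'scans' rather than
    trusting the 'positives' field, so an inconsistent report stands out."""
    scans = report.get("scans", {})
    return sum(1 for r in scans.values() if r.get("detected"))


def suspicious_apps(reports, min_engines):
    """Apps flagged by MORE than min_engines engines (the post uses 15 and 22)."""
    return sorted(
        (name, detection_count(rep))
        for name, rep in reports.items()
        if detection_count(rep) > min_engines
    )


def detection_histogram(reports):
    """Distribution of detection counts: the data behind Figures 1 and 2."""
    return Counter(detection_count(rep) for rep in reports.values())


def suspicious_ratio(reports):
    """Fraction of apps flagged by at least one engine (cf. 48.53% in the post)."""
    flagged = sum(1 for rep in reports.values() if detection_count(rep) > 0)
    return flagged / len(reports) if reports else 0.0


def _report(detected_by, total=54):
    """Construct a report in which the first `detected_by` of `total` engines flag."""
    return {"positives": detected_by, "total": total,
            "scans": {f"engine{i}": {"detected": i < detected_by} for i in range(total)}}


# Constructed sample: placeholder app names, not apps from the study.
SAMPLE_REPORTS = {
    "app_clean.apk": _report(0),
    "app_one_hit.apk": _report(1),
    "app_sixteen.apk": _report(16),
    "app_thirty.apk": _report(30),
}

if __name__ == "__main__":
    print(suspicious_apps(SAMPLE_REPORTS, 15))  # [('app_sixteen.apk', 16), ('app_thirty.apk', 30)]
    print(detection_histogram(SAMPLE_REPORTS), f"{suspicious_ratio(SAMPLE_REPORTS):.2%}")
```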

$500 prize money at the ACM SIGAI Student Essay Contest on the Responsible Use of AI Technologies! Apply now!

  1. Do you have an opinion on the responsible use of AI technologies?
  2. Do you want to win one of several $500 cash prizes?
  3. Do you want to talk one-on-one (via Skype) to one of the following AI researchers:
  • Murray Campbell (Senior Manager, IBM Thomas J. Watson Research Center)
  • Eric Horvitz (Managing Director, Microsoft Research)
  • Peter Norvig (Director of Research, Google)
  • Stuart Russell (Professor, University of California at Berkeley) or
  • Michael Wooldridge (Head of the CS Department, University of Oxford)?

Read on!

Who Owns Your Device?

We live in an amazing era of technology. The Internet has opened doors that have been dreamed of for years. By adding computing technology to everyday devices, like televisions, thermostats, appliances, and others, we’ve been able to automate many aspects of our daily life. The ideal experience might look something like this 50s ‘futurist’ promotional film entitled “Design For Dreaming”.

The idea of technology being embedded in every object around you is called the Internet of Things, and it is one of the fastest growing areas of emerging technology. These days, manufacturers are adding Internet connections to all kinds of devices around you. One of the most famous examples is the Nest Thermostat [LINK]. This thermostat allows the user to adjust the temperature throughout the day, and eventually learns the user’s patterns, thereafter adjusting the temperature without intervention.

But there is a dark side to this kind of technology, one that is becoming more visible as the technology goes through growing pains. In this article, we discuss some of the major issues with putting a computer in every device you own (or don’t really own, as the case may be). We focus on the domestic space rather than the industrial space, which has its own challenges and benefits. We discuss both the value of and the problems with adding an Internet connection to a device that previously never needed one, including the reliance on a company to provide updates, security and privacy concerns, and finally the value that these additions actually provide.

How 1 Million App Calls can Tell you a Bit About Malware – Part 1

Recently, I collaborated with a number of researchers from the Software Systems Laboratory of Columbia University, on a study regarding POSIX (Portable Operating System Interface) abstractions. In a nutshell, we measured how and to what extent traditional POSIX abstractions are being used in modern operating systems, and whether new abstractions are taking form, dethroning traditional ones. The results of this study were presented at the 11th European Conference on Computer Systems (EuroSys ’16).

How to Automatically Scan Multiple Files with Multiple Antiviruses

Recently, I’ve been working on a project where I needed to scan a large number of .apk files for potential malware or malicious intent. Given that antiviruses produce many false positives, it would be better for me to scan the files using more than one antivirus. During a discussion with a colleague, he mentioned the VirusTotal service. VirusTotal is a free service in which a web user can scan files and URLs to see whether they are related to any kind of malicious behavior (viruses, worms, Trojans, etc.). To do so, it uses 55 different antiviruses and 61 scan engines. Using it is pretty straightforward: users upload a file, and when the engines finish their analysis the results are displayed.